[BUZZOK-28206] Fix broken requirements.txt in GenAI Agents environment (Need to remove all ; things in requirements.txt)
#1724
Conversation
![semgrep-code-datarobot[bot]](https://avatars.githubusercontent.com/u/5280184?s=60&v=4){kind=small}
| ptyprocess==0.7.0 ; os_name != 'nt' or (sys_platform != 'emscripten' and sys_platform != 'win32') | ||
| pure-eval==0.2.3 | ||
| py-rust-stemmers==0.1.5 | ||
| protobuf==5.29.4 |
There was a problem hiding this comment.
Risk: Affected versions of protobuf are vulnerable to Uncontrolled Recursion. The pure-Python implementation of Protocol Buffers is vulnerable to a denial-of-service attack when processing untrusted data with deeply nested or recursive groups/messages, potentially causing the Python recursion limit to be exceeded.
Manual Review Advice: A vulnerability from this advisory is reachable if you have setup the Protobuf pure-Python backend (the other backends are safe)
Fix: Upgrade this library to at least version 5.29.5 at datarobot-user-models/public_dropin_environments/python311_genai_agents/requirements.txt:83.
Reference(s): GHSA-8qvm-5x2c-j2w7, CVE-2025-4565
🍰 Fixed in commit 6d30203 🍰
mjnitz02
changed the title
; things in requirements.txt)
|
The Needs Review labels were added based on the following file changes. Team @datarobot/buzok (#genai) was assigned because of changes in files:public_dropin_environments/python311_genai_agents/env_info.json public_dropin_environments/python311_genai_agents/requirements.txt If you think that there are some issues with ownership, please discuss with C&A domain at #sdtk slack channel and create PR to update DRCODEOWNERS\CODEOWNERS file. |
| nvidia-nat-crewai==1.3.0rc3 ; python_full_version >= '3.11' | ||
| nvidia-nat-langchain==1.3.0rc3 ; python_full_version >= '3.11' | ||
| nvidia-nat-opentelemetry==1.3.0rc3 ; python_full_version >= '3.11' | ||
| numpy==1.26.4 |
There was a problem hiding this comment.
Hmmm... Yea, maybe this is a problem. The requirements.txt here is technically fake and it only exists in a python 3.11 image. The issue is that its hard to create a drum compatible requirements.txt from a uv.lock file. The two things don't really co-exist very easily together.
| nvidia-nat-opentelemetry==1.3.0rc3 ; python_full_version >= '3.11' | ||
| numpy==1.26.4 | ||
| numpy==2.3.4 | ||
| nvidia-nat==1.3.0rc3 |
There was a problem hiding this comment.
nat requires python >= 3.11
| s3transfer==0.13.1 | ||
| scipy==1.15.3 ; python_full_version < '3.11' | ||
| scipy==1.16.2 ; python_full_version >= '3.11' | ||
| scipy==1.15.3 |
3 participants
This repository is public. Do not put here any private DataRobot or customer's data: code, datasets, model artifacts, .etc.
Summary
Previous format seems to be incompatible with drum installer. We don't actually use this really, but we need it just for records